--- a/wp/wp-includes/class-wp-recovery-mode-key-service.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/class-wp-recovery-mode-key-service.php Fri Sep 05 18:40:08 2025 +0200
@@ -11,6 +11,7 @@
*
* @since 5.2.0
*/
+#[AllowDynamicProperties]
final class WP_Recovery_Mode_Key_Service {
/**
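Review bot: `#[AllowDynamicProperties]` on a `final` class turns off the PHP 8.2 deprecation notice for undeclared properties, and nothing visible in this diff assigns one. If the class does not need dynamic properties, the attribute only hides a mistyped `$this->...` assignment in code that handles recovery keys. Declaring any property that is really required would be the tighter option; if the attribute is kept for consistency with the rest of the codebase, a one-line comment saying so would help.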
@@ -37,7 +38,7 @@
*
* @since 5.2.0
*
- * @global PasswordHash $wp_hasher
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
*
* @param string $token A token generated by {@see generate_recovery_mode_token()}.
* @return string Recovery mode key.
@@ -84,12 +85,15 @@
*
* @since 5.2.0
*
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+ *
* @param string $token The token used when generating the given key.
* @param string $key The unhashed key.
* @param int $ttl Time in seconds for the key to be valid for.
* @return true|WP_Error True on success, error object on failure.
*/
public function validate_recovery_mode_key( $token, $key, $ttl ) {
+ global $wp_hasher;
$records = $this->get_keys();
@@ -105,7 +109,12 @@
return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
}
- if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
+
+ if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
}
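Review bot: The `empty( $wp_hasher )` guard accepts whatever non-empty value is already in the global, so a hasher object installed by a plugin or drop-in would be the one verifying recovery keys, and the `CheckPassword` call assumes it has the phpass interface. A type check such as `if ( ! ( $wp_hasher instanceof PasswordHash ) )`, with the fallback instance held in a local variable, would avoid both trusting and overwriting a foreign global. The key-generation method is outside this hunk and would need the same treatment so that hashing and verification stay on one implementation. The body of `validate_recovery_mode_key()` starts in the previous hunk and continues past this one, so the surrounding checks are not visible here. A short comment stating why `wp_check_password()` is no longer used for these keys would also help the next reader.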